🤖 feat: add MCP server support

[ibetitsmike]

Summary

Add an in-cluster MCP (Model Context Protocol) server mode to coder-k8s so remote clients can inspect operator-managed resources over HTTP (ideal for kubectl port-forward).

New app mode:

• --app=mcp-http: MCP over Streamable HTTP on :8090

Background

The operator is expected to run in-cluster, and clients will connect remotely over HTTP (for example via kubectl port-forward svc/coder-k8s -n coder-system 8090:8090).

Implementation

• New package internal/app/mcpapp using github.com/modelcontextprotocol/go-sdk/mcp
  • Streamable MCP endpoint: /mcp
  • Probes: /healthz, /readyz
  • Idle Streamable HTTP sessions expire after 15 minutes to reclaim abandoned sessions.
  • Kubernetes clients:
    • controller-runtime client (for Coder CRDs + aggregated API types)
    • client-go clientset (for events + pod logs)
• Tool safety bounds:
  • get_events requires a namespace and is paginated (default limit 200, max 1000, returns a continue token).
  • get_pod_logs applies safe defaults/bounds and marks output with (truncated) when the byte cap is hit.
• app_dispatch.go supports mcp-http and is covered by dispatch tests.
• Deployment + docs:
  • deploy/mcp-deployment.yaml (Deployment: coder-k8s-mcp)
  • deploy/mcp-service.yaml (Service: coder-k8s, port 8090)
  • deploy/rbac.yaml (adds coder-k8s-mcp SA + read-only ClusterRole)
  • docs/how-to/mcp-server.md

MCP tools (MVP)

• list_control_planes
• get_control_plane_status
• list_workspaces
• list_templates
• get_events
• get_pod_logs
• check_health

Validation

• make verify-vendor
• make build
• make test
• make lint

Risks

• HTTP mode does not add auth on its own (intended for in-cluster + port-forward usage).
• RBAC grants read access to pods/log, events, namespaces, and Coder CRDs for the MCP service account.

---

Generated with mux • Model: openai:gpt-5.2 • Thinking: xhigh • Cost: $3.92

https://mux.md/1B5WD#6zoglyfH45bqAQ

[ibetitsmike]

@codex review

Please review for:

• MCP server app mode dispatch (mcp-stdio, mcp-http)
• Tool handlers correctness and error handling
• RBAC scope (read-only) and deploy manifest consistency

[ibetitsmike]

@codex review

Pushed a small follow-up to fix docs-quality (cspell) for health endpoints.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 039ab0b2d6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ibetitsmike]

@codex review

Update: removed mcp-stdio; MCP is now HTTP-only (--app=mcp-http). PR description updated accordingly.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fa6e7b9eb8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ibetitsmike]

@codex review

Addressed the P1 feedback on get_pod_logs (bounded read + safe defaults) and resolved the review thread.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f35420c40b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ibetitsmike]

@codex review

Applied fixes for:

• Streamable HTTP session timeout (idle sessions now expire)
• get_pod_logs bounded output (tailLines default + byte cap)

Resolved the previous review threads.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d88c85687e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ibetitsmike]

@codex review

Addressed feedback:

• get_events now requires a namespace and is paginated/bounded (default limit + continuation).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 252a3781b5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ibetitsmike]

@codex review

Follow-up: adjusted get_pod_logs truncation detection (no apiserver LimitBytes; local cap + marker).

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Another round soon, please!

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".